An obligation (cboblg_...) is a compliance obligation tracked against the org. Obligations created through this API are of type CUEC (complementary user-entity controls). This API exists for GRC sync and external visibility. All endpoints are org-scoped to the API key. See API conventions for shared behavior, including pagination.
| Method | Path |
| --- | --- |
| GET | /v1/obligations |
| POST | /v1/obligations |
| GET | /v1/obligations/{obligation_id} |
| PATCH | /v1/obligations/{obligation_id} |
None of these honor Idempotency-Key.

Status values

The status field accepts exactly:
| Value | Meaning |
| --- | --- |
| satisfied | The obligation is met. |
| not_satisfied | The obligation is not met (default on create). |
Any other value returns 400 invalid_status listing the accepted values.

List obligations

GET /v1/obligations

Query parameters

vendor_id (string): Filter to obligations associated with a vendor (cbvndr_...).
obligation_status (string): Filter by status: satisfied or not_satisfied.
limit (integer): Page size. Default 50, range 1–200.
offset (integer): Page offset. Default 0.

Example request

cURL
curl -X GET "https://sandbox.api.coverbase.app/v1/obligations?obligation_status=not_satisfied&limit=50" \
  -H "Authorization: Bearer ak_live_xxx"

Example response

{
  "items": [
    {
      "id": "cboblg_4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b9c",
      "statement": "Customer must enforce MFA on all admin accounts.",
      "status": "not_satisfied",
      "obligation_type": "cuec",
      "compliance_type": null,
      "vendor_document_id": "cbvdoc_1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d",
      "assignee_id": "cbuser_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6",
      "assignee_group_id": null,
      "due_date": 1749168000,
      "is_archived": false,
      "created_at": 1746576000,
      "updated_at": 1746576400
    }
  ],
  "total": 1,
  "limit": 50,
  "offset": 0
}

Obligation object

id (string): Obligation ID (cboblg_...).
statement (string): The obligation statement.
status (string): satisfied or not_satisfied.
obligation_type (string): Always cuec for obligations created via this API.
compliance_type (string | null): How compliance is established (manual, internal_control, or similar_obligation), if set.
vendor_document_id (string | null): Source vendor document (cbvdoc_...), if linked.
assignee_id (string | null): Assigned user (cbuser_...).
assignee_group_id (string | null): Assigned group, if assigned to a group instead of a user.
due_date (integer | null): Unix timestamp (seconds), if set.
is_archived (boolean): true if archived.
created_at (integer): Unix timestamp (seconds).
updated_at (integer): Unix timestamp (seconds).
The list envelope adds total, limit, offset — see pagination.

Create an obligation

POST /v1/obligations
Returns 201 Created. obligation_type is always set to cuec.

Request body

statement (string, required): The obligation statement.
status (string): satisfied or not_satisfied. Defaults to not_satisfied.
vendor_document_id (string): Link to a source vendor document (cbvdoc_...).
assignee_id (string): Assign to a user (cbuser_...).
assignee_group_id (string): Assign to a group instead of a user.
due_date (integer): Unix timestamp (seconds).

Example request

cURL
curl -X POST "https://sandbox.api.coverbase.app/v1/obligations" \
  -H "Authorization: Bearer ak_live_xxx" \
  -H "Content-Type: application/json" \
  -d '{
    "statement": "Customer must enforce MFA on all admin accounts.",
    "status": "not_satisfied",
    "due_date": 1749168000
  }'
Returns the obligation object.

Error responses

| Status | Body | When |
| --- | --- | --- |
| 400 | {"detail": {"code": "invalid_status", "message": "Invalid status '...'. Expected one of: satisfied, not_satisfied."}} | status not one of the accepted values. |
| 400 | {"detail": {"code": "invalid_obligation", "message": "..."}} | Other business-rule rejection. |
| 422 | Standard validation error | statement missing or body malformed. |

Retrieve an obligation

GET /v1/obligations/{obligation_id}
cURL
curl -X GET "https://sandbox.api.coverbase.app/v1/obligations/cboblg_4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b9c" \
  -H "Authorization: Bearer ak_live_xxx"
Returns the obligation object.
| Status | Body | When |
| --- | --- | --- |
| 404 | {"detail": {"code": "obligation_not_found", "message": "Obligation not found."}} | Not found / not in the API key’s org. |

Update / status-sync an obligation

PATCH /v1/obligations/{obligation_id}
Push status, assignment, due-date, or statement changes (or archive) back into Coverbase. Only included fields change.

Request body

statement (string): Updated statement.
status (string): satisfied or not_satisfied.
assignee_id (string): Reassign to a user (cbuser_...).
assignee_group_id (string): Reassign to a group.
due_date (integer): New due date (Unix seconds).
is_archived (boolean): Archive (true) or restore (false).

Example request

cURL
curl -X PATCH "https://sandbox.api.coverbase.app/v1/obligations/cboblg_4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b9c" \
  -H "Authorization: Bearer ak_live_xxx" \
  -H "Content-Type: application/json" \
  -d '{ "status": "satisfied" }'
Returns the refreshed obligation object.

Error responses

| Status | Body | When |
| --- | --- | --- |
| 400 | {"detail": {"code": "invalid_status", "message": "Invalid status '...'. Expected one of: satisfied, not_satisfied."}} | status not accepted. |
| 400 | {"detail": {"code": "invalid_update", "message": "..."}} | Update otherwise rejected. |
| 404 | {"detail": {"code": "obligation_not_found", "message": "Obligation not found."}} | Not found / not in the API key’s org. |
| 422 | Standard validation error | Body failed schema validation. |
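
The following added example (not Coverbase code) plans a GRC sync against these endpoints: it pages through the list envelope with limit/offset/total, mirrors the invalid_status check client-side, and, because no endpoint honors Idempotency-Key, plans a POST only when no existing obligation carries the same statement. The fetch_page transport callable, the in-memory fake_fetch_page, and matching on statement text are assumptions of the example.

```python
# Added example: sync planning against the obligations API described above.
# The transport callable `fetch_page` and matching on `statement` are assumptions.
ACCEPTED_STATUS = ("satisfied", "not_satisfied")  # any other value -> 400 invalid_status


def list_all(fetch_page, limit=50, **filters):
    """Walk GET /v1/obligations page by page using limit/offset/total."""
    items, offset = [], 0
    while True:
        page = fetch_page({**filters, "limit": limit, "offset": offset})
        items.extend(page["items"])
        offset += limit
        # Stop on an empty page too, in case `total` shrinks during the walk.
        if not page["items"] or offset >= page["total"]:
            return items


def plan_sync(existing, desired):
    """Return (creates, patches) without sending anything.

    POST does not honor Idempotency-Key, so a create is planned only when no
    existing obligation already carries the same statement.
    """
    by_statement = {o["statement"]: o for o in existing}
    creates, patches = [], []
    for want in desired:
        status = want.get("status", "not_satisfied")  # server default on create
        if status not in ACCEPTED_STATUS:
            raise ValueError(f"invalid status {status!r}")
        have = by_statement.get(want["statement"])
        if have is None:
            creates.append({"statement": want["statement"], "status": status})
        elif have["status"] != status:
            # PATCH changes only the fields included in the body.
            patches.append((have["id"], {"status": status}))
    return creates, patches


def fake_fetch_page(store):
    """Constructed in-memory stand-in for the list endpoint (not the real API)."""
    def fetch(params):
        rows = [o for o in store
                if params.get("obligation_status") in (None, o["status"])]
        start = params["offset"]
        return {"items": rows[start:start + params["limit"]], "total": len(rows),
                "limit": params["limit"], "offset": start}
    return fetch
```

In a real integration, fetch_page would issue the GET shown in the cURL examples and return the parsed JSON envelope; the planned creates and patches map onto the POST and PATCH request bodies documented above.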